kccoyote
just joined
Topic Author
Posts: 11
Joined: Sat May 24, 2008 12:06 am
Location: Trimble, MO, USA

PPPoE Routing with Public IP Addresses?

Wed May 28, 2008 6:04 pm

Before we switched to Mikrotik, I was using two servers to handle our wireless network:
1. A Linux machine running iptables and dhcpd. Any customer with one of our wireless CPEs could connect to our towers.
2. A Linux machine running bridge-utils and ebtables (to prevent arp cache poisoning). We would manually configure our business public IP addresses to run through the bridge.
This setup worked great, but once people cracked any wireless encryption, they could get onto our networks without a password. That's why we are now using PPPoE on Mikrotik.

I have just set up my first Mikrotik RouterOS on an Intel Based PC. I have successfully set up PPPoE. Customers get 192.168.20.X addresses if they've paid for 512k download speed, 192.168.30.X if they've paid for 1024k download speed, and so on up through business class speeds. They are routed through the Firewall and it is working great.

But now, many business customers are requesting that they receive a static public IP address to access their servers from home. We have multiple class C's so we have plenty of public addresses, I am just not sure how to set it up here. I know I can hand them a public IP address via PPPoE, but it still routes them out on the internet through the Router OS box. Do I need to set up bridging to enable this? And once I do, how do I ensure that those with public IP addresses are fully accessible from the public internet? Any help or suggestions on setting up both public and private IP addresses on a network would be appreciated. If we should go to all bridged public IPs, please say so. If we should keep everyone routed, but somehow allow a customer to have their own public IP, I would welcome any suggestion.
 
kccoyote
just joined
Topic Author
Posts: 11
Joined: Sat May 24, 2008 12:06 am
Location: Trimble, MO, USA

Re: PPPoE Routing with Public IP Addresses?

Thu May 29, 2008 9:06 pm

Is this not a Beginner Question? Maybe this topic should be in the General section. I can delete this and repost this somewhere else if it is suggested.
 
techsimp
newbie
Posts: 37
Joined: Sat May 24, 2008 11:04 pm

Re: PPPoE Routing with Public IP Addresses?

Thu May 29, 2008 10:51 pm

Are you saying that you do not want the customers with the public IPs to go straight to the internet from the RouterOS device, but rather want them to go through a separate firewall from the one in the RouterOS device? I currently use the PPPoE server on a RB532A running RouterOS myself in a fashion similar to what you are describing and I'm just using the built-in firewall.
 
kccoyote
just joined
Topic Author
Posts: 11
Joined: Sat May 24, 2008 12:06 am
Location: Trimble, MO, USA

Re: PPPoE Routing with Public IP Addresses?

Thu May 29, 2008 11:39 pm

I want the customers who have public IP addresses to go directly out on the internet without passing through the RouterOS firewall at all. I do not want the masquerade srcnat rule to apply to those clients. They need access to all of their ports directly. As an example, if they receive the public IP address 1.2.3.4 from the PPPoE server, and they run a web server, they should be able to go home and type in http://1.2.3.4 in their browser and connect to their system. All the customers with 192.168.X.X should continue to go through the firewall.

techsimp: yes, it sounds like we are running almost the exact same thing right now, but I need to add this level of service for people who do not want to go through the firewall. I just am not sure if this is done in the Firewall rules or if I have to create a Bridge.

Thank you for any help that you can provide. I will continue working on this until I have a resolution. I will post if I figure it out.
 
techsimp
newbie
Posts: 37
Joined: Sat May 24, 2008 11:04 pm

Re: PPPoE Routing with Public IP Addresses?

Thu May 29, 2008 11:57 pm

I haven't used NAT on my setup, but as I look at it through Winbox, it appears that you can assign the srcnat to a particular input and/or output interface. In my setup, each pppoe session shows up as its own interface, and thus I believe they would not be subject to any rule applied to the srcnat interface. Can anyone verify my assumptions? If I'm correct, then all you'd need to do is go back to each of your rules and add to the rules the particular input/output interface corresponding to your srcnat customers.
 
Premier
Member Candidate
Posts: 129
Joined: Mon Jul 19, 2010 8:52 pm

Re: PPPoE Routing with Public IP Addresses?

Mon Aug 23, 2010 7:51 pm

kccoyote, did you ever get this going since? I am looking at doing the exact same setup.
 
lmhandslh
just joined
Posts: 6
Joined: Thu Jul 22, 2010 10:22 pm

Re: PPPoE Routing with Public IP Addresses?

Tue Aug 24, 2010 2:39 am

This post by KCCoyote was his resolution to this issue. I've used it and it works. If you have any trouble, let me know; I struggled with this one for a week or so reading through the same posts. Once the light goes on it's easy, as long as your provider routes your public addresses to you.

http://forum.mikrotik.com/viewtopic.php?f=2&t=24797
 
moya
just joined
Posts: 22
Joined: Sun Jul 10, 2005 8:14 pm

Re: PPPoE Routing with Public IP Addresses?

Sun Aug 29, 2010 7:43 am

Gents,

I have a configuration that's very similar to KCCoyote, the only difference being that I use a Layer 2 VPN connecting a remote site to a Data Center. The reason for the VPN is that I need to encrypt the traffic as well as use the Public IPs that I have at the Data Center. The VPN is working and so is the PPPoE server, but the problem that I have is that when I go to http://www.whatismyip.com, the IP that shows up is the one for the Router at the Data Center and not the one that I assigned to the customer via the PPPoE server.
Here is a snapshot of my topology:
topology.png
Any suggestions will be appreciated.

Thanks,
-moya
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: PPPoE Routing with Public IP Addresses?

Sun Aug 29, 2010 8:29 am

So do not src nat those IPs. The router is not going to do that unless you tell it to.

Post your configuration, including PPPoE server setup, IP pools and firewall (NAT at least).
 
moya
just joined
Posts: 22
Joined: Sun Jul 10, 2005 8:14 pm

Re: PPPoE Routing with Public IP Addresses?

Sun Aug 29, 2010 10:36 am

Thanks for the prompt reply Fewi,

My intention is to do away with NAT, and only use public IPs for the customers.

Here is the info that you requested:


----------------------------------
/ppp profile
set default change-tcp-mss=yes comment="" name=default only-one=default \
    use-compression=default use-encryption=default use-vj-compression=default
add bridge=local_bridge change-tcp-mss=default comment="" name=he_vpn \
    only-one=default use-compression=default use-encryption=yes \
    use-vj-compression=default
add change-tcp-mss=default comment="" local-address=watson name=watson-pppoe \
    only-one=default remote-address=pppoe use-compression=default \
    use-encryption=yes use-vj-compression=default
add change-tcp-mss=default comment="" local-address=watson name=vpn only-one=\
    default remote-address=vpn use-compression=default use-encryption=yes \
    use-vj-compression=default
add change-tcp-mss=default comment="" dns-server=8.8.8.8 \
    local-address=xx.xx.67.29 name=public_67 only-one=default remote-address=\
    public67 use-compression=default use-encryption=yes use-vj-compression=\
    default
set default-encryption change-tcp-mss=yes comment="" name=default-encryption \
    only-one=default use-compression=default use-encryption=yes \
    use-vj-compression=default
/ppp aaa
set accounting=yes interim-update=0s use-radius=no
/ppp secret
add caller-id="" comment="" disabled=no limit-bytes-in=0 limit-bytes-out=0 \
    name=my@domain.com password=test profile=watson-pppoe routes="" \
    service=pppoe
add caller-id="" comment="" disabled=no limit-bytes-in=0 limit-bytes-out=0 \
    name=my@domain.com password=passme profile=vpn routes="" service=pptp
add caller-id="" comment="" disabled=no limit-bytes-in=0 limit-bytes-out=0 \
    name=my@domain.com password=123 profile=public_67 routes="" service=pppoe

----------------------------------
Pools

[admin] /ip pool> print
 #  NAME      RANGES
 0  pppoe     10.10.40.5-10.10.40.254
 1  watson    10.10.50.10-10.10.50.50
 2  vpn       172.17.4.5-172.17.5.254
 3  public67  xx.xx.xx.40-xx.xx.xx.60

----------------------------------
Firewall NAT
/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=\
    local_bridge
add action=masquerade chain=srcnat comment="" disabled=no out-interface=cable




Thanks,

-moya
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: PPPoE Routing with Public IP Addresses?

Sun Aug 29, 2010 3:44 pm

Without more information on your topology:
/ip firewall address-list
add list=no-NAT address=xx.xx.xx.40-xx.xx.xx.60
/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=local_bridge src-address-list=!no-NAT
add action=masquerade chain=srcnat comment="" disabled=no out-interface=cable src-address-list=!no-NAT
 
moya
just joined
Posts: 22
Joined: Sun Jul 10, 2005 8:14 pm

Re: PPPoE Routing with Public IP Addresses?

Sun Aug 29, 2010 8:46 pm

Fewi,

That didn't work, so I must have an issue somewhere else. I made the same change on both routers - the local one and the remote.
When I check the IP I get the one from the WAN interface on the remote router (remote being the one at the Data Center). I will recheck the configuration on the remote one as soon as I get back.

Thanks for your help and time.

Regards,

-moya
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: PPPoE Routing with Public IP Addresses?

Sun Aug 29, 2010 8:54 pm

Just to be clear, that was supposed to replace what you already had. The basic idea is to build an address list of addresses that are not to be NAT'd, and then tell the router not to NAT them. Alternatively you can also exempt them like below without editing existing rules:
/ip firewall nat
add chain=srcnat src-address-list=no-NAT action=accept
add chain=dstnat dst-address-list=no-NAT action=accept
And move them to the very top of the list of NAT rules.
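
Added example, not part of the post above and not MikroTik's code: a simplified Python model of first-match evaluation in the srcnat chain, showing why the exemption rule has to sit above the masquerade rule. It handles only the chain, out-interface and src-address-list matchers used in this thread, and 203.0.113.40-203.0.113.60 is a constructed stand-in for the masked public67 range.

```python
import ipaddress
import shlex

# Constructed sample data: 203.0.113.40-60 stands in for the masked public67 pool.
LISTS = {"no-NAT": ["203.0.113.40-203.0.113.60"]}
MASQ = "add action=masquerade chain=srcnat out-interface=cable"
EXEMPT = "add chain=srcnat src-address-list=no-NAT action=accept"
NEGATED = MASQ + " src-address-list=!no-NAT"

def parse_rules(export):
    """Parse 'add key=value ...' lines of a NAT export, preserving rule order."""
    rules = []
    for line in export.splitlines():
        line = line.strip()
        if line.startswith("add "):
            rules.append(dict(t.split("=", 1) for t in shlex.split(line[4:])))
    return rules

def in_list(addr, entries):
    """True if addr equals an entry or falls inside a 'low-high' range entry."""
    ip = ipaddress.ip_address(addr)
    for entry in entries:
        lo, _, hi = entry.partition("-")
        if ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi or lo):
            return True
    return False

def srcnat_verdict(export, src, out_if, lists=LISTS):
    """Action of the first srcnat rule matching the packet (first match wins)."""
    for rule in parse_rules(export):
        if rule.get("chain") != "srcnat":
            continue
        if rule.get("out-interface", out_if) != out_if:
            continue
        spec = rule.get("src-address-list")
        if spec:
            negate = spec.startswith("!")
            if in_list(src, lists.get(spec.lstrip("!"), [])) == negate:
                continue
        return rule.get("action", "accept")
    return "accept"  # nothing matched: the packet leaves untranslated

if __name__ == "__main__":
    for name, cfg in [("masquerade only", MASQ), ("negated list", NEGATED),
                      ("exempt first", EXEMPT + "\n" + MASQ),
                      ("exempt last", MASQ + "\n" + EXEMPT)]:
        print(name, srcnat_verdict(cfg, "203.0.113.45", "cable"),
              srcnat_verdict(cfg, "10.10.40.7", "cable"))
```

In the "exempt last" ordering the public address is still masqueraded, which is the symptom of leaving the accept rule below the masquerade rule.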
 
moya
just joined
Posts: 22
Joined: Sun Jul 10, 2005 8:14 pm

Re: PPPoE Routing with Public IP Addresses?

Sun Aug 29, 2010 10:52 pm

That is what I did, but I need to give it a close look and make sure that I don't have any silly mistakes in the configuration.

I will be gone for the next 10 days, but if you don't mind I would like to continue then.

Thanks again for your help and time.

Best regards,

-moya
